Operational risk is in the spotlight like never before. The disasters of the 2008 global financial crisis and the wave of conduct and compliance scandals that followed were facilitated in part, or in full, by the absence of a mature risk culture within a great number of firms across the financial sector. In particular, a failure to provide the operational risk function with a substantive platform – from which to influence strategic planning and challenge senior management – exposed the sector to costly risk management lapses that could have been avoided. The subprime mortgage crash in the US, the payment protection insurance (PPI) mis-selling debacle in the UK, and various ‘rogue trader’ incidents since can trace their origins to weak internal controls and a disconnect between firms’ risk management processes and strategic objectives.
These failings claimed the scalps of several venerable institutions and brought the financial sector as a whole to the brink of collapse. In response, regulators ramped up supervision to unprecedented heights. As a result, today’s regulatory environment places a premium on strong operational risk management. Thomas Curry, the Comptroller of the Currency in the US, explained in November 2014 that financial regulators must ensure banks have “appropriate internal controls, a strong risk management framework, and compensation programmes that incent employees to abide by the bank’s rules and culture.”
Power, influence and challenge
The question now is: are firms responding to the regulators’ challenge? The survey’s findings on the influence of operational risk on firms’ senior management and strategic planning were hopeful, but mixed. While 69% of respondents report that operational risk is cited in minutes of the board or risk committee, only 24% say they carry out operational risk reviews or assessments of strategic plans (figure 1). In addition, 15% state they do not evidence operational risk in their strategic planning and 9% say they discount considerations of operational risk entirely. Just 10% say their operational risk profile reports include details of relationships with other risks such as credit, market and strategic risk.
These are concerning findings that should make regulators sit up and take notice, especially since they have not been shy about impressing on firms the importance of operational risk in recent years. In September 2014, the US Office of the Comptroller of the Currency (OCC) published heightened standards for large financial institutions. These state that firms should establish and adhere to a written risk governance framework to manage and control their risk-taking activities, among other minimum standards.
Having the op risk function engage with strategic planning to a greater degree would be one way firms could alleviate regulators’ fears. In the post-crisis landscape, regulators have emphasised that risk management should be less about looking in the rear-view mirror and more about looking at the road ahead; identifying upcoming risks and mitigating their impact ahead of time. The Forward-Looking Economic Assessments conducted by the Federal Reserve from 2009 onwards are a good example of this new model in action.
A deficient operational risk function can have implications beyond earning a firm the chagrin of its regulators. Large operational risk losses are a very real consequence for firms that do not adequately empower the risk function to influence and challenge management decisions. A weak operational risk culture can also result in incentives slipping out of alignment with risk appetite, allowing individuals within a firm to take risky actions. This was the case in the UK PPI scandal, where the Financial Services Authority suggested that the incentive schemes established to increase sales implicitly encouraged mis-selling by individuals.
The potential reputational and material fallout resulting from the absence of a strong risk culture, however, does not seem to have incentivised a meaningful transfer of power to the operational risk function. Most respondents to the survey say they do not have real powers to challenge business decisions, and do not see it as an area in which they can add significant value. Only 8% put “establishing credible challenge processes” as one of their top three operational risk priorities for their first-line personnel (businesses line leaders and managers) (figure 2), and only 17% say they have the authority to stop business decisions against the will of business-line managers – the rest having only, at best, advisory input (figure 3).
Clearly, there is still some way to go before operational risk has the necessary sway – or even feels the need to ramp up its effectiveness – at senior management level to offer a credible challenge to the business. Another survey finding suggests this may be having a detrimental effect on efforts to link the first line of defence with the principles of operational risk management. Asked to rank the skill set and performance of the various stages of the op risk function, survey respondents ranked first-line managers lowest.
Furthermore, 61% say their abilities are low to moderate – behind those even of the executive management and the board of directors. Although training in operational risk is often listed as a priority task for first-line managers, it does not seem to have brought about significant improvements in their proficiency in this area.
The operational risk function also lacks a significant voice in decisions on compensation. Just 16% of respondents include compensation in the scope of the operational risk function (figure 4). Even more worryingly for regulators, only 1% of those surveyed consider introducing meaningful impacts to the compensation packages of first-line personnel to be a priority.
This is unexpected considering the emphasis placed by regulators on how a disconnect between compensation and risk acts to facilitate risk management failures. The OCC heightened standards, for instance, for firms to provide “compensation tools to appropriately motivate and retain talent that does not encourage imprudent risk taking”.
Meanwhile, in the UK, the Financial Conduct Authority (FCA) has penalised banks specifically on account of poorly designed sales incentive schemes that the regulator said could have encouraged misconduct and mis-selling. The FCA also released proposals in July 2014 for an expanded use of deferred compensation, as part of a general overhaul of pay.
The industry itself makes a great noise about the causal link between risk management failures and pay decisions. Yet, according to the survey, many are still to put those words into action.
The expansion of the operational risk function’s workload is expected to continue unabated, according to more than 70% of survey respondents – perhaps unsurprisingly, given the regulatory focus on issues such as corporate culture, conduct risk, cybersecurity and other components of the operational risk landscape (figure 5). But, this increased profile is not expected to be all good news. Only 22% are confident their staff will be able to cope with this increased burden. Meanwhile, 49% say their staff levels are inadequate, even for their current responsibilities, and few expect a dramatic increase in staffing, with “no change” the most popular prediction of staffing levels over the next 12–18 months, at 44%.
Some firms may also be guilty of under-resourcing their operational risk functions, at least in terms of the number of personnel dedicated to this risk factor. Asked for the numbers of operational risk staff employed at their firms, survey responses suggest a significant variation among firms. At one end of the scale, several companies with hundreds or even thousands of risk personnel say they have fewer than 50 operational risk staff, while others say that – of risk teams 1,000–1,500 strong – between 300 and 500 were engaged.
At a more granular level, the picture is rather brighter. Studying the three questions together – How adequate is your staffing? How do you expect your responsibilities to grow? How do you expect your staffing to grow? – just over one-quarter (26%) of respondents fall into the ‘crisis’ area, where the workload is expected to overwhelm their staff. The rest were more or less optimistic, believing either that their existing teams could handle the work they expect to be given (36%), or that they would receive extra staff to cope with any increase (38%).
While the number of personnel assigned to operational risk may not be up to scratch in some firms, this does not seem to have constrained the spreads of a healthy risk culture across the industry. Survey respondents list “enhancing risk culture” as an area in which they believe operational risk teams contribute the most value to the business, 20% of total participants (figure 6). More than two-thirds (69%) include this objective in their formal operational risk management frameworks.
Of those respondents who do not put this objective front and centre, it is perhaps a reflection of the weak recognition granted the operational risk function at senior management level in these firms, as revealed in the survey data. It could also be that the pace of regulatory change is causing some firms to lag behind. Twenty per cent say regulatory demands are the top challenge they face in keeping their operational risk function up to date with organisational change.
External loss data
Another striking finding from the survey was the low priority placed on the use of external loss data. Only 1% of managers say that they were one of the most valuable parts of the operational risk management process, compared to 91% for internal loss data. Twenty-eight per cent do not use this data at all for modelling or reporting. Since external loss events feature as one of the four components of an operational risk capital model under the Basel II capital adequacy rules, along with internal losses, scenario analyses, and business environment and internal control factors (BEICF), it may have been expected to rank higher in firms’ list of priorities.
Yet, caution around the use of external loss data in models is largely justified. In fact, regulators have been generally less energetic in encouraging the use of external data than in ensuring banks use their own internal loss data as an input for operational risk capital models – citing difficulties in assessing how losses at one bank are applicable to another. This is reinforced by the survey findings, in which only 5% of respondents say it is something they are being pressurised by regulators to improve. For internal losses, scenario analyses, and BEICF, the figures are 13%, 11% and 20%, respectively (figure 7).
Anecdotally, operational risk managers say external losses are valuable for rhetorical purposes – to get past the ‘it couldn’t happen’ barrier and convince management that a risk is worth spending money on to prevent. Twenty-six per cent of respondents say that “significant external loss events at peers” were part of their operational risk profile reports to senior management, suggesting this is yet to be considered a core component of most firms’ op risk programmes.
Ultimately, the survey results suggest the operational risk function is growing in stature within financial institutions – albeit slowly. The march of progress is also far from uniform. While it is true that operational risk is now firmly in the crosshairs of firms’ senior management, its significance as a factor in strategic planning remains patchy across the industry. Interestingly, the survey implies there is a lack of urgency among risk personnel themselves to embed operational risk among first-line managers, not to mention in decisions on compensation.
Yet the industry and regulators alike can take some hope from the cultural shift under way. With more than two-thirds of those surveyed saying enhancing risk culture is a core tenet of their op risk managment, perhaps this onward march will be quickened in the years to come.
Operational Risk & Regulation surveyed 229 operational risk professionals at banks, asset managers, brokerages and other institutions around the world. Surveys were conducted confidentially through a web interface. Not all respondents replied to all questions.
The 2014 State of Operational Risk Management survey was carried out with support from Protiviti.
Copyright Infopro Digital Limited. All rights reserved.
You may share this content using our article tools. Printing this content is for the sole use of the Authorised User (named subscriber), as outlined in our terms and conditions - https://www.infopro-insight.com/terms-conditions/insight-subscriptions/
If you would like to purchase additional rights please email email@example.com
Copyright Infopro Digital Limited. All rights reserved.
You may share this content using our article tools. Copying this content is for the sole use of the Authorised User (named subscriber), as outlined in our terms and conditions - https://www.infopro-insight.com/terms-conditions/insight-subscriptions/
If you would like to purchase additional rights please email firstname.lastname@example.org